IPSec-VPN with Windows Firewall + Routing&RAS with PortForwarding and Ping?

  • Question

  • Hello,

I have a somewhat complex question.

The scenario is the following:

- One physical server, called Hyper-V-Host, which is located in a big data center, Windows Server 2012

- Some virtual Hyper-V machines, Windows Server 2012, Windows 7

On the physical server we have enabled a virtual switch with two virtual interfaces, one called "external", one called "internal".

We have enabled NAT via Routing and RAS, because the virtual machines of course need access to the internet. Every VM gets the virtual "internal" NIC assigned.

Also, we have some IPSec connections to different routers at locations of the customer. These IPSec tunnels are created with the Windows built-in extended firewall.

The first thing to mention is that if Routing and RAS is enabled, a ping to the outside networks is not answered. If I disable Routing&RAS, the ping to the outside networks works just fine. Because we need ping only for debugging, this is no problem so far, but now here comes my problem.

I need an RDP connection from one client of the outside networks to one of the virtual machines, so basically a port redirect would be all that is necessary.

The VPN connections are built up with the public IP address of the physical server as endpoint. If I use the IP of the virtual internal interface (192.168.137.1) or the complete subnet (192.168.137.0/24), the VPN connection does not work. Because of this, the complete traffic to this server goes through the VPN tunnel. I tried to create a port forward using the NAT of R&RAS, but this seems to work over the external interface, not through the VPN tunnel.

The simple question is: how can I solve this?

And btw, is there any solution for the ping problem?

Any hint would be great!

    Sunday, August 4, 2013 11:31 PM

Answers

I had opened a case with Microsoft and the answer is simple: this is not supported! IPSEC tunnels do not work together with activated NAT.

Of course, we need a properly working solution, so we will install a VM with Linux as a router.

    • Marked as answer by Comfine Wednesday, August 28, 2013 8:06 AM
    • Edited by Comfine Wednesday, August 28, 2013 8:07 AM
    Wednesday, August 28, 2013 8:05 AM

All replies

  • Hi,

    Thanks for the post and sorry for the delay.

    Firstly, if you enable RRAS, you may need to configure proper settings to make it work.

    Enable RRAS as a LAN and WAN Router

    http://technet.microsoft.com/en-us/library/dd458974.aspx

    Routing

    http://technet.microsoft.com/en-us/library/dd469793.aspx

Secondly, with NAT, you may not be able to ping because ICMP messages are disabled by default.

    Enable and Configure NAT

    http://technet.microsoft.com/en-us/library/dd469812.aspx

    Allow or deny ICMP messages

    http://technet.microsoft.com/en-us/library/cc778310(v=ws.10).aspx

If the issue persists, would you please provide us with a network diagram for further research.

    Hope this helps.


    Best Regards
    Jeremy Wu

    Friday, August 9, 2013 9:51 AM
Hi Jeremy,

Thanks for your reply first. Routing and RAS is enabled correctly as described in your first link. The NAT is also working correctly. Your third link gave me some good information: on my machine there is no tab called ICMP. I suppose it's because we are using Server 2012. I will try to find out how I can enable this or where the options for this stuff have gone.

Anyway, here is a diagram of the network:

What I need is an RDP connection between client2 and Win7-Virtual.

For this reason, I need a port forward on the Hyper-V host Terminal-Server for some port, let's take 12345, to 3389 on Win7-Virtual,

or as an alternative a properly working VPN between the "virtual net" of the Terminal-Server Hyper-V host and the customer-site networks.

Right now I am able to connect to the customer site's networks from the Hyper-V Terminal-Server (and the printers in these networks), except ping. I am not able to connect from any virtual machine to the customer's networks.

From the customer's networks I'm only able to connect to the Terminal-Server over the public IP 123.234.123.234, as I configured this as VPN endpoint. If I use the virtual IP of the Terminal-Server (192.168.137.1), the VPN connection does not work (not in my tested configurations..).

From the customer's networks any data to the Terminal-Server goes through the VPN connection, so a port forward with NAT on the virtual interface "external" does not work, of course.

If I enable NAT on the interface "internal", the connection between physical and virtual machines is broken somehow (the connection between Exchange and Outlook (RPC) does not work any more, for example), so this is no solution either. Also, the wanted port forward did not work anyway while this was enabled on the internal interface.

    • Edited by Comfine Saturday, August 10, 2013 1:55 PM
    Saturday, August 10, 2013 1:11 PM
Here are some screenshots of the configuration:

    Saturday, August 10, 2013 1:33 PM
  • Saturday, August 10, 2013 1:34 PM
As you can see, there is no tab called "ICMP".

We need this for the Exchange OWA.. it's working fine..

    Saturday, August 10, 2013 1:35 PM
After reading this TechNet forum thread,

I created two new firewall rules to allow ALL ICMP traffic for any device. I also switched the IPsec exception option for ICMP from off to on... but ping is still not working.

Maybe this is a bug, or it's by design of the virtual switch / NAT implementation and these two things cannot work correctly together?

    • Edited by Comfine Saturday, August 10, 2013 2:15 PM
    Saturday, August 10, 2013 2:09 PM
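The following PowerShell script is an added example, not part of the thread and not from Microsoft, showing how the state described in the posts above (ICMP firewall rules, the IPsec ICMP exemption, which IPsec tunnels actually negotiated, and whether RRAS is running) can be checked from the Hyper-V host instead of through the GUI tabs. It assumes the NetSecurity cmdlets that ship with Windows Server 2012, that RRAS runs as the service named RemoteAccess, and that Get-NetFirewallSetting exposes an Exemptions property; the rule names and the remote peer address are constructed placeholders.

```powershell
# Added diagnostic script (not from the thread). Run in an elevated PowerShell
# on the Windows Server 2012 Hyper-V host that terminates the IPsec tunnels.

# 1. Allow ICMPv4 echo request (type 8) in both directions so that a ping can
#    be answered. The display names are chosen here; any name will do.
$icmpRules = @(
    @{ DisplayName = 'Allow ICMPv4 Echo Request (Inbound)';  Direction = 'Inbound'  },
    @{ DisplayName = 'Allow ICMPv4 Echo Request (Outbound)'; Direction = 'Outbound' }
)
foreach ($r in $icmpRules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction $r.Direction `
            -Protocol ICMPv4 -IcmpType 8 -Action Allow -Profile Any | Out-Null
    }
}

# 2. Show the IPsec exemptions as the firewall reports them (this is the
#    "IPsec exception option for ICMP" the poster switched on). Assumed
#    property name: Exemptions.
Get-NetFirewallSetting | Select-Object -ExpandProperty Exemptions

# 3. List the IPsec rules and the security associations that are really up.
#    No main-mode/quick-mode SA for a peer means that tunnel never negotiated,
#    which is a different failure from a ping being dropped inside a working tunnel.
Get-NetIPsecRule |
    Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity |
    Format-Table -AutoSize
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint | Format-Table -AutoSize
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint | Format-Table -AutoSize

# 4. Record whether RRAS (the NAT) is running, so a "ping only works with RRAS
#    stopped" observation can be correlated with the service state.
Get-Service -Name RemoteAccess | Select-Object Name, Status

# 5. Probe a host on the far side of a tunnel. PLACEHOLDER address: replace
#    with a real host in one of the customer-site networks.
$remotePeer = '10.0.0.1'
Test-Connection -ComputerName $remotePeer -Count 2 -ErrorAction SilentlyContinue |
    Select-Object Address, ResponseTime
```

Run steps 3 to 5 once with RRAS running and once after stopping it; comparing the two outputs separates a tunnel that never comes up from a tunnel that is up but whose packets are being rewritten by NAT, which is the distinction the thread's final answer rests on.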
Earlier I created a thread regarding the ping problem, see here.

Maybe this helps someone to understand my problem....

I would be very happy to find a solution for that...

    • Edited by Comfine Saturday, August 10, 2013 2:46 PM
    Saturday, August 10, 2013 2:46 PM